Vulnerabilities / Threats

12/22/2016
01:40 PM
Steve Zurier
Steve Zurier
Slideshows
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Inside The Vulnerability Disclosure Ecosystem

Report released by NTIA stakeholders offers new information on how organizations respond to security vulnerabilities - and what researchers think.
Previous
1 of 7
Next

Image Source: Pixabay

Image Source: Pixabay

A new National Telecommunications and Information Administration (NTIA)-led study of how security researchers and software vendors handle and view vulnerability disclosure provides rare insight into both sides of the equation.

NTIA formed a team of stakeholders from the software industry, security researchers, and industry at large to study how the various players could build a higher level of trust when it comes to disclosing vulnerability information.

“Having more disclosure won’t solve all our security challenges,” says Allan Friedman, director of cybersecurity initiatives at the NTIA. “But it will build a more collaborative environment where organizations can respond to and have good relationships with [stakeholders] in the security field.”

One of the three working groups formed by the NTIA conducted two surveys, one of security researchers and another of software vendors. The researchers survey received 414 responses, and the software vendor study received 285.

On the plus side, 92% of security researchers surveyed say they participate in some form of security disclosure, but 60% say threat of legal action could potentially deter them from working with a vendor to disclose a vulnerability  

And while 76% of vendors say they look internally to develop vulnerability handling procedures, only one in three require third parties to develop their own vulnerability handling procedures.  

“Cleary there needs to be more work done in working with third parties,” says Friedman. “Especially when so many of the high-profile breaches involved third parties.”

NTIA published three papers from the study, and here are some key takeaways:  

 

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Previous
1 of 7
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Meet 'Bro': The Best-Kept Secret of Network Security
Greg Bell, CEO, Corelight,  6/14/2018
Containerized Apps: An 8-Point Security Checklist
Jai Vijayan, Freelance writer,  6/14/2018
Four Faces of Fraud: Identity, 'Fake' Identity, Ransomware & Digital
David Shefter, Chief Technology Officer at Ziften Technologies,  6/14/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-0363
PUBLISHED: 2018-06-21
A vulnerability in the web-based management interface of Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulne...
CVE-2018-0364
PUBLISHED: 2018-06-21
A vulnerability in the web-based management interface of Cisco Unified Communications Domain Manager could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSR...
CVE-2018-0365
PUBLISHED: 2018-06-21
A vulnerability in the web-based management interface of Cisco Firepower Management Center could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack and perform arbitrary actions on an affected device. The vulnerability is due to insufficient CSRF protecti...
CVE-2018-0371
PUBLISHED: 2018-06-21
A vulnerability in the Web Admin Interface of Cisco Meeting Server could allow an authenticated, remote attacker to cause a denial of service (DoS) condition. The vulnerability is due to insufficient validation of incoming HTTP requests. An attacker could exploit this vulnerability by sending a craf...
CVE-2018-0373
PUBLISHED: 2018-06-21
A vulnerability in vpnva-6.sys for 32-bit Windows and vpnva64-6.sys for 64-bit Windows of Cisco AnyConnect Secure Mobility Client for Windows Desktop could allow an authenticated, local attacker to cause a denial of service (DoS) condition on an affected system. The vulnerability is due to improper ...